Abstract. We present an infinite family of APN functions on $GF(2^{3k})$ with $(k,3) = 1$.



1 Introduction 

Let $L = GF(2^n)$ for some positive integer $n$. A function $f : L \to L$ is said to be almost perfect nonlinear (APN) on $L$ if the number of solutions in $L$ of the equation

$$f(x+q) + f(x) = p$$

is at most 2, for all $p, q \in L$, $q \neq 0$. Equivalently, $f$ is APN if the set $\{f(x+q) + f(x) : x \in L\}$ has size $2^{n-1}$ for each $q \in L^*$. Clearly, as $L$ has characteristic 2, the number of solutions to the above equation must be an even number for any function $f$ on $L$.

APN functions were introduced in [9] by Nyberg, who defined them as the mappings with highest resistance to differential cryptanalysis. In other words, APN functions are those for which the plaintext difference $x + y$ yields the ciphertext difference $f(x) + f(y)$ with probability $1/2^{n}$. Since Nyberg's characterization, many papers have been written on APN functions, although not many different families of such functions are known.

Two functions $f, g : L \to L$ are called extended affine (EA) equivalent if there exist affine permutations $A_1$, $A_2$ and an affine map $A$ such that $g = A_1 \circ f \circ A_2 + A$.

Until recently, all known APN functions were EA equivalent to one of a short list of monomial functions, namely the Gold, Kasami-Welch, inverse, Welch, Niho and Dobbertin functions. For some time it was conjectured that this list was the complete list of APN functions up to EA equivalence.

A more general notion of equivalence has been suggested in [6], which is 
referred to as Carlet-Charpin-Zinoviev (CCZ) equivalence. Two functions are 
called CCZ equivalent if the graph of one can be obtained from the graph of the 
other by an affine permutation of the product space. EA equivalence is a special 
case of CCZ equivalence. 

We say that $f : L \to L$ is differentially $m$-uniform if the polynomial $f(x+q) + f(x) + p$ has at most $m$ zeroes in $L$. Then $f$ is APN on $L$ if and only if it is differentially 2-uniform on $L$.

Differential uniformity and resistance to linear and differential attacks are invariants of CCZ equivalence, and as opposed to EA equivalence, any permutation is CCZ equivalent to its inverse.

In [4], Proposition 3, the authors express necessary and sufficient conditions 
for EA equivalence of functions in terms of CCZ equivalence and use this to 
construct several examples of APN functions that are CCZ equivalent to the 
Gold functions, but not EA equivalent to any monomial function. This showed 
that the original conjecture is false. The new question was whether all APN 
functions are CCZ equivalent to one on the list. 

In 2006 a sporadic example of a binomial APN function that is not CCZ equivalent to any power mapping was given in [8]. A family of APN binomials on fields $\mathbb{F}_{2^n}$, where $n$ is divisible by 3 but not 9, was presented in [2]. In [3] these have been shown to be EA inequivalent to any monomial function, and CCZ inequivalent to the Gold or Kasami-Welch functions. For the case $n = 6$, in [7] Dillon presented a list of CCZ inequivalent APN functions on $GF(2^n)$, found by computer search. In general, establishing CCZ equivalence of arbitrary functions is extremely difficult. There are, however, a number of invariants of CCZ equivalence that can be useful in the classification of functions. A nice link with coding theory is that a pair of functions $f$ and $g$ on $L$ are CCZ equivalent on $L$ if and only if the matrices

$$H_f = \begin{bmatrix} x_1 & \cdots & x_{2^n} \\ f(x_1) & \cdots & f(x_{2^n}) \end{bmatrix}, \qquad H_g = \begin{bmatrix} x_1 & \cdots & x_{2^n} \\ g(x_1) & \cdots & g(x_{2^n}) \end{bmatrix}$$

are parity check matrices for codes whose extended codes are equivalent over $GF(2)$, where $x_i$, $f(x_i)$ and $g(x_i)$ are expressed as binary vectors of length $n$, with $L$ viewed as a $GF(2)$ vector space and $L = \{x_1, \dots, x_{2^n}\}$.

Motivated by these works, in this paper we introduce a new family of APN functions on fields of order $2^{3k}$ where $k$ is not divisible by 3. The family of polynomials has the form

$$F(x) = u^{2^k}x^{2^{-k}+2^{k+s}} + ux^{2^s+1} + vx^{2^{-k}+1} + wu^{2^k+1}x^{2^{k+s}+2^s} \qquad (1)$$

with certain constraints on the integers $s$, $k$ and on $u, v, w \in GF(2^{3k})$ (see Theorem 1).

In the next section we show that the polynomials of type (1) are indeed APN on $GF(2^{3k})$. Using code equivalence, in Section 3 we show that for $n = 6$ the functions are CCZ inequivalent to any known power functions and are equivalent to one of the trinomials listed by Dillon in [7].

2 New APN functions 

The following theorem will show that we can obtain quadratic quadrinomial APN functions on $GF(2^n)$ whenever $n$ is divisible by three but not nine. A quadratic monomial is one of the form $x^{2^i+2^j}$ for some integers $i$ and $j$. Observe that if $f(x) = x^{2^i+2^j}$, then

$$f(x+q) + f(x) + f(q) = x^{2^i}q^{2^j} + x^{2^j}q^{2^i}$$

is a linear function in $x$, whose kernel has the same size as any of its translates, such as the solution set of $f(x) + f(x+q) = p$ in $L$, for any $p \in L$.

Note that because of this property, proving whether or not a quadratic polynomial is APN is more tangible than one that is not quadratic. For this reason, all of the recently discovered families of APN functions inequivalent to power mappings have been quadratic.

We will show that our polynomial $F(x)$ is APN by computing the size of the kernel of the corresponding linear map

$$F(x+q) + F(x) + F(q).$$

Theorem 1. Let $s$ and $k$ be positive integers with $k + s$ divisible by three and $(s, 3k) = (3, k) = 1$. Let $u$ be a primitive element of $GF(2^{3k})$ and let $v, w \in GF(2^k)$ with $v \neq w^{-1}$. Then the function

$$F(x) = u^{2^k}x^{2^{-k}+2^{k+s}} + ux^{2^s+1} + vx^{2^{-k}+1} + wu^{2^k+1}x^{2^{k+s}+2^s}$$

is APN over $GF(2^{3k})$.

Proof:

We show that for every $p$ and $q$ (with $q \neq 0$) in $GF(2^{3k})$ the equation

$$F(x) + F(x+q) = p$$

has at most two solutions by counting the number of solutions to the equation

$$F(x) + F(x+q) + F(q) = 0.$$

This gives

$$F(x) + F(x+q) + F(q) = u^{2^k}\left(x^{2^{-k}}q^{2^{k+s}} + x^{2^{k+s}}q^{2^{-k}}\right) + u\left(x^{2^s}q + q^{2^s}x\right) + v\left(x^{2^{-k}}q + q^{2^{-k}}x\right) + wu^{2^k+1}\left(x^{2^{k+s}}q^{2^s} + q^{2^{k+s}}x^{2^s}\right) = 0.$$
Replace $x$ with $xq$ to obtain

$$u^{2^k}q^{2^{-k}+2^{k+s}}\left(x^{2^{k+s}} + x^{2^{-k}}\right) + uq^{2^s+1}\left(x^{2^s} + x\right) + vq^{2^{-k}+1}\left(x^{2^{-k}} + x\right) + wu^{2^k+1}q^{2^{k+s}+2^s}\left(x^{2^s} + x^{2^{k+s}}\right) = 0,$$

and collect terms in $x$ to get

$$\Delta(x) := \left(vq^{2^{-k}+1} + uq^{2^s+1}\right)x + \left(vq^{2^{-k}+1} + u^{2^k}q^{2^{-k}+2^{k+s}}\right)x^{2^{-k}} + \left(wu^{2^k+1}q^{2^{k+s}+2^s} + uq^{2^s+1}\right)x^{2^s} + \left(wu^{2^k+1}q^{2^{k+s}+2^s} + u^{2^k}q^{2^{-k}+2^{k+s}}\right)x^{2^{k+s}} = 0.$$

We write

$$\Delta(x) = Ax + Bx^{2^{-k}} + Cx^{2^s} + Dx^{2^{k+s}}$$

where

$$A = vq^{2^{-k}+1} + uq^{2^s+1}, \qquad B = vq^{2^{-k}+1} + u^{2^k}q^{2^{-k}+2^{k+s}},$$

$$C = wu^{2^k+1}q^{2^{k+s}+2^s} + uq^{2^s+1}, \qquad D = wu^{2^k+1}q^{2^{k+s}+2^s} + u^{2^k}q^{2^{-k}+2^{k+s}}.$$

Clearly 0 is a root of $\Delta(x)$. Moreover $\Delta(1) = A + B + C + D = 0$. If we show that $\Delta(x) = 0$ permits only 0 and 1 as solutions for $x$ then we will have proved that $F(x)$ is APN on $GF(2^{3k})$. First we demonstrate that none of $A$, $B$, $C$ or $D$ vanish for any $q \in GF(2^{3k})^*$. If $A = 0$ we have $u = vq^{2^{-k}-2^s}$ which implies $u^{2^k} = vq^{1-2^{k+s}}$. By hypothesis, $k + s$ is divisible by three so that $1 - 2^{k+s}$ is divisible by seven, and hence $q^{1-2^{k+s}}$ is a 7th power in $GF(2^{3k})$. Since 3 does not divide $k$, 7 does not divide $2^k - 1$, so the map $x \mapsto x^7$ is a permutation on $GF(2^k)$. Then $v \in GF(2^k)$ can be expressed as a 7th power. This means that $u^{2^k}$ and hence $u$ is a 7th power in $GF(2^{3k})$. This gives a contradiction as seven is a divisor of $2^{3k} - 1$ and we chose $u$ to be primitive in $GF(2^{3k})$. We deduce that $A \neq 0$. Similar arguments show that $B$, $C$ and $D$ are all nonzero.
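Next we define the linearized polynomial:

$$L_\theta(T) := T + \theta T^{2^k} + \theta^{2^k+1}T^{2^{-k}}.$$

When $T = \theta x + x^{2^{-k}}$ and $\theta$ is a $(2^k - 1)$-th power, a routine calculation verifies that $L_\theta(T) = 0$ for all $x \in GF(2^{3k})$. Observe that

$$\frac{A}{B} = \frac{vq^{2^{-k}+1} + uq^{2^s+1}}{vq^{2^{-k}+1} + u^{2^k}q^{2^{-k}+2^{k+s}}} = \frac{v + uq^{2^s-2^{-k}}}{v + u^{2^k}q^{2^{k+s}-1}} = \left(v + uq^{2^s-2^{-k}}\right)^{1-2^k}$$

which gives

$$L_{A/B}\left(\frac{A}{B}x + x^{2^{-k}}\right) = 0. \qquad (2)$$

Now

$$\frac{\Delta(x)}{B} = \frac{A}{B}x + x^{2^{-k}} + \frac{C}{B}x^{2^s} + \frac{D}{B}x^{2^{k+s}} = 0.$$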
Applying this to Equation 2 gives



We compute this as

$$\left(B^{2^{-k}+2^k}C + D^{2^{-k}}A^{2^k+1}\right)x^{2^s} + \left(B^{2^{-k}+2^k}D + B^{2^{-k}}AC^{2^k}\right)x^{2^{k+s}} + \left(B^{2^{-k}}AD^{2^k} + A^{2^k+1}C^{2^{-k}}\right)x^{2^{-k+s}} = 0.$$

We substitute in the values of $A$, $B$, $C$, and $D$ and after simplification we obtain the following

$$(vw+1)\,u\,q^{2^k+1+2^s}\left(vq^{2^{-k}} + uq^{2^s}\right)\left(u^{2^k}q^{2^{k+s}+2^k} + u^{2^{-k}}q^{2^{-k+s}+1}\right)x^{2^s}$$

$$+\,(vw+1)\,u^{2^k}q^{2^k+1+2^{k+s}}\left(vq^{2^{-k}} + uq^{2^s}\right)\left(uq^{2^k+2^s} + u^{2^{-k}}q^{2^{-k+s}+2^{-k}}\right)x^{2^{k+s}}$$

$$+\,(vw+1)\,u^{2^{-k}}q^{2^k+1+2^{-k+s}}\left(vq^{2^{-k}} + uq^{2^s}\right)\left(u^{2^k}q^{2^{k+s}+2^{-k}} + uq^{2^s+1}\right)x^{2^{-k+s}} = 0.$$

As we chose $v$ and $w$ such that $v \neq w^{-1}$ and as $A \neq 0$ we can divide the equation by $(vw+1)\,q^{2^k+1}\left(vq^{2^{-k}} + uq^{2^s}\right)u^{2^{-k}+1}q^{2^{-k+s}+2^s+1}$ and take the expression to the $2^{-s}$-th power to obtain

$$\left(1 + a^{-2^{k-s}}\right)x + \left(a^{2^{-s}} + a^{-2^{k-s}}\right)x^{2^k} + \left(1 + a^{2^{-s}}\right)x^{2^{-k}} = 0, \qquad (1)$$

where $a = u^{2^k-1}q^{2^{-k}+2^{k+s}-2^s-1}$. Now we consider $L_{D/C}\left(\frac{\Delta(x)}{C}\right) = 0$. We know $L_{D/C}\left(x^{2^s} + \frac{D}{C}x^{2^{k+s}}\right) = 0$, as

$$\frac{C}{D} = \frac{wu^{2^k+1}q^{2^{k+s}+2^s} + uq^{2^s+1}}{wu^{2^k+1}q^{2^{k+s}+2^s} + u^{2^k}q^{2^{-k}+2^{k+s}}} = \left(w + u^{-1}q^{2^{-k}-2^s}\right)^{2^k-1}.$$

This implies $L_{D/C}\left(\frac{A}{C}x + \frac{B}{C}x^{2^{-k}}\right) = 0$, which we compute as

$$\left(C^{2^{-k}+2^k}A + C^{2^{-k}}DB^{2^k}\right)x + \left(C^{2^{-k}}DA^{2^k} + D^{2^k+1}B^{2^{-k}}\right)x^{2^k} + \left(C^{2^{-k}+2^k}B + D^{2^k+1}A^{2^{-k}}\right)x^{2^{-k}} = 0.$$

A similar computation to the one used above will yield

$$\left(1 + a^{-2^{-k}}\right)x + (1 + a)x^{2^k} + \left(a + a^{-2^{-k}}\right)x^{2^{-k}} = 0. \qquad (2)$$

Now we combine equations (1) and (2) such that the terms in $x^{2^{-k}}$ cancel. This will give

$$\left(\left(1 + a^{-2^{k-s}}\right)\left(a + a^{-2^{-k}}\right) + \left(1 + a^{-2^{-k}}\right)\left(1 + a^{2^{-s}}\right)\right)x + \left(\left(a^{2^{-s}} + a^{-2^{k-s}}\right)\left(a + a^{-2^{-k}}\right) + (1 + a)\left(1 + a^{2^{-s}}\right)\right)x^{2^k} = 0$$

which is the same as

$$\left(\left(1 + a^{-2^{k-s}}\right)\left(a + a^{-2^{-k}}\right) + \left(1 + a^{-2^{-k}}\right)\left(1 + a^{2^{-s}}\right)\right)\left(x + x^{2^k}\right) = 0.$$

If we show that $\left(1 + a^{-2^{k-s}}\right)\left(a + a^{-2^{-k}}\right) + \left(1 + a^{-2^{-k}}\right)\left(1 + a^{2^{-s}}\right) \neq 0$ for all possible values of $a$ then we could conclude that $x \in GF(2^k)$. To this end we consider the expression

$$\left(1 + a^{-2^{k-s}}\right)\left(a + a^{-2^{-k}}\right) = \left(1 + a^{-2^{-k}}\right)\left(1 + a^{2^{-s}}\right).$$

Rearranging we obtain

$$a = \frac{\left(1 + a^{-1}\right)^{2^{-k}}(1 + a)^{2^{-s}}}{\left(1 + a^{-1}\right)^{2^{k-s}}(1 + a)^{2^k}}.$$

This implies $a$ is a $(2^{k+s} - 1)$-th power which in turn implies that it is a seventh power. As $a = u^{2^k-1}q^{2^{-k}+2^{k+s}-2^s-1} = u^{2^k-1}q^{(2^{k+s}-1)(1-2^{-k})}$ we see if $a$ is a seventh power then so is $u^{2^k-1}$ but this is not possible as $k$ is not divisible by three and $u$ is primitive. We can now state that all solutions to $\Delta(x) = 0$ are in $GF(2^k)$. Applying this to our original expression for $\Delta(x)$ gives

$$\left(uq^{2^s+1} + u^{2^k}q^{2^{-k}+2^{k+s}}\right)\left(x + x^{2^s}\right) = 0.$$

If $uq^{2^s+1} + u^{2^k}q^{2^{-k}+2^{k+s}} = 0$ then $a = 1$, but 1 is a seventh power, hence $\left(x + x^{2^s}\right) = 0$ which implies $x = 0$ or 1 as $s$ is relatively prime to $3k$.

3 The Case n = 6 

For the case $n = 6$ the polynomials introduced here take one of the following forms:

$$ux^3 + vu^5x^{10} + vx^{17} + u^4x^{24}$$
$$ux^3 + vx^{17} + u^4x^{24}$$
$$ux^3 + vu^5x^{10} + u^4x^{24}$$
$$ux^3 + u^4x^{24},$$

for some primitive element $u \in GF(2^6)$ and $v \in GF(4)$. In the first 3 cases, the polynomials are CCZ equivalent to

$$x^3 + x^{10} + ux^{24},$$

which appears in Dillon's list, and in the last instance the polynomial is CCZ equivalent to $x^3$.
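
A brute-force check of Theorem 1 in its smallest case $k = 2$, $s = 1$ (the $n = 6$ case above), given as an added example that is not part of the original paper. The field representation $GF(2)[x]/(x^6 + x + 1)$ and every function name are choices made for this example.

```python
from collections import Counter
from itertools import product

K, S = 2, 1            # smallest case of Theorem 1: k + s = 3, (s, 3k) = (3, k) = 1
N = 3 * K              # the field is GF(2^6)
SIZE = 1 << N
MOD = 0b1000011        # x^6 + x + 1: field representation assumed for this example

def gf_mul(a, b):      # carry-less product of a and b, reduced modulo MOD
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & SIZE:
            a ^= MOD
        b >>= 1
    return r

def gf_pow(a, e):      # repeated multiplication; every exponent used here is below 64
    r = 1
    for _ in range(e):
        r = gf_mul(r, a)
    return r

def e2(i):             # 2^i with i read modulo n, so that 2^{-k} means 2^{2k}
    return 1 << (i % N)

# Exponents of the four terms of F, in the order they appear in Theorem 1.
EXPS = (e2(-K) + e2(K + S), e2(S) + 1, e2(-K) + 1, e2(K + S) + e2(S))
POWERS = [[gf_pow(x, e) for x in range(SIZE)] for e in EXPS]

def quadrinomial_table(u, v, w):
    """Value table of F(x) for the coefficients u, v, w."""
    uk = gf_pow(u, e2(K))
    coeffs = (uk, u, v, gf_mul(w, gf_mul(uk, u)))
    rows = [[gf_mul(c, p) for p in col] for c, col in zip(coeffs, POWERS)]
    return [a ^ b ^ c ^ d for a, b, c, d in zip(*rows)]

def differential_uniformity(table):
    # max over q != 0 and p of #{x : f(x+q) + f(x) = p}; f is APN iff this is 2
    return max(max(Counter(table[x ^ q] ^ table[x] for x in range(SIZE)).values())
               for q in range(1, SIZE))

def check_theorem_1():
    # uniformities over every primitive u and all v, w in GF(2^k) with vw != 1
    primitive = [a for a in range(2, SIZE) if gf_pow(a, 21) != 1 and gf_pow(a, 9) != 1]
    subfield = [a for a in range(SIZE) if gf_pow(a, 1 << K) == a]
    return {differential_uniformity(quadrinomial_table(u, v, w))
            for u in primitive for v, w in product(subfield, repeat=2)
            if gf_mul(v, w) != 1}
```

`EXPS` evaluates to the exponents 24, 3, 17 and 10 that appear in the four forms listed above, and the same `differential_uniformity` routine applies to the value table of any function on $GF(2^6)$.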